
    Author Archive - Trend Micro



    Jan 25, 6:30 am (UTC-7)

    Apart from those apps that register users for unwanted services and those that aggressively push ads, Android users should also worry about apps with backdoor capabilities.

    While premium service abusers and adware accounted for the majority of malicious apps in 2012, they are not the only threats to Android. Reports of a botnet running on more than a million smartphones recently made the headlines, which goes to show that attacks aimed at Android devices are varied and far from over.

    Prior to these reports, we had already been seeing this malware since July 2012 and have so far detected 4,282 samples in the wild. The related samples we analyzed (detected by Trend Micro as ANDROIDOS_KSAPP.A, ANDROIDOS_KSAPP.VTD, ANDROIDOS_KSAPP.CTA, ANDROIDOS_KSAPP.CTB, and AndroidOS_KSAPP.HRX) came from a certain third-party app store, though we suspect they are available on several other sites as well. Typically, these apps are marketed as gaming apps, some of them bearing the names of, or being repackaged versions of, popular gaming titles.

    The first batch of samples we analyzed was packaged using the same app title, purportedly from the same company.

    Once any of these malicious apps is installed on a device, it communicates with the following remote sites to acquire a compressed script, which it then parses:

    • http://{BLOCKED}y.{BLOCKED}i.com:5222/kspp/do?imei=xxxx&wid=yyyy&type=&step=0
    • http://{BLOCKED}n.{BLOCKED}1302.com:5222/kspp/do?imei=xxxx&wid=yyyy&type=&step=0
    • http://{BLOCKED}1.com:5101/ks/do?imei=xxxx&wid=yyyy&type=&step=0



    Nov 29, 7:36 am (UTC-7)

    Some malware are more persistent than others – like WORM_VOBFUS. This recent heap of WORM_VOBFUS variants seen spreading on Facebook does not exhibit new routines, but it is a good reminder for users about well-known but easily forgotten safe computing practices.

    Based on our initial analysis, these WORM_VOBFUS variants do not show any advanced routine or propagation technique. However, based on our Smart Protection Network™ feedback, infections by these malware have grown over the past few days.

    Aside from spreading on Facebook, there is nothing new so far about WORM_VOBFUS. So why is it still a problem? Below are some persistent issues surrounding WORM_VOBFUS.




    This is part of a series of blog posts discussing the Chinese underground. The previous parts may be found here:

    The full paper can be found here.

    Virtual assets – in the form of currency, equipment, or membership in online games – have significant real-world value as well. This is particularly true in China, where online games are a very popular form of entertainment.

    Despite this real-world value, laws protecting against virtual asset theft are neither well developed nor effectively enforced. Because of this, some members of the Chinese underground prefer to target these kinds of assets rather than real-money items.

    The diagram below illustrates the value chain of virtual assets theft in China:

    Broadly speaking, the value chain has three phases: first, the login credentials for online games are stolen via malware or phishing. In the next phase, the credentials are used to steal virtual assets such as in-game money, equipment, or even the account itself. Finally, the crime is monetized by selling these in online marketplaces – for real money.



    We received inquiries about the Gauss attack, which garnered significant media attention as it drew comparisons to Flame. Gauss was designed to steal system-related information and to gather banking, social networking, email, and instant messaging (IM) credentials. Researchers also surmised that this is possibly the latest in the string of state-sponsored attacks that gained public attention with the discovery of STUXNET in 2010.

    Similarities with Flame

    As readers may recall, Flame was described as a cyber espionage tool that executes several information-stealing techniques, including screenshot capture and audio recording. Similar to Flame, Gauss was discovered to have targeted several countries in the Middle East.

    Aside from its geographic scope, Gauss and Flame share several noteworthy technical commonalities, such as:

    • Both were written in the same programming language (C++)
    • Both exploited the same .LNK vulnerability (CVE-2010-2568)
    • Both used USB drives as storage for stolen information/data
    • Both were designed to steal browser history/cookies
    • Both used the same encryption method (XOR)
    • Both contained a similar command-and-control (C&C) structure

    These shared denominators led researchers to conclude that Gauss may be the handiwork of the same people behind Flame. Despite these similarities, Gauss was designed to focus on stealing information from Lebanese banks such as Bank of Beirut, BlomBank, ByblosBank, FransaBank, and Credit Libanais, among others. It was also found to target other entities such as Citibank and the online payment system PayPal. To some experts, this fixation on Lebanese banks was proof that this attack may be sponsored by a particular state.

    Trend Micro products protect users from this threat by detecting and deleting the related malware and by blocking access to the C&C IP addresses. We will update this blog entry as more information becomes available.

    Update as of August 13, 2012 2:17 AM PST

    Trend Micro detects the file components of this threat as TSPY_GAUSS.A.

    Update as of August 15, 2012 5:35 PM PST

    Trend Micro detects the related malicious JavaScript of this threat as JS_GAUSS.A. Gauss-related URLs were also blocked via web reputation service.





    This is part of a series of blog posts discussing the Chinese underground; the introductory post can be found here. The full paper can be found here.

    Broadly speaking, the Chinese underground operates with four distinct but inter-related value chains. These are:

    1. Real money theft
    2. Virtual assets theft
    3. Internet resources and services abuse
    4. Blackhat techniques, tools, and training

    We’ll discuss each chain in its own separate blog post. For now, we will concentrate on the first: real money theft.

    More and more users in China are participating in online commerce. By late 2011, 37.8% of Chinese Internet users, or 194 million users, had engaged in online shopping, and 167 million and 166 million users, respectively, had taken part in online payment and online banking systems. This large volume of users engaging in commerce online, using real money and real goods, has attracted large numbers of cybercriminals.

    Broadly speaking, the chain for real money theft in China is not too different from those elsewhere, as seen in the chart below:

    There are many similarities between real money theft elsewhere and in China. Phishing, info-stealing malware, identity theft, and information theft are all part and parcel of information theft syndicates elsewhere. Similarly, the profit methods are not particularly different: money transfers and fake credit cards are prominent here as well.


     
